summaryrefslogtreecommitdiff
path: root/src/net/packetnet.cil
blob: 27e828e31f1cb19437923dd43afc90c7f9a760fd (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

(class packet (forward_in forward_out recv relabelto send))
(classorder (unordered packet))

(macro forward_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (forward_in forward_out))))

(macro forwardin_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (forward_in))))

(macro forwardout_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (forward_out))))

(macro recv_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (recv))))

(macro recvsend_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (recv send))))

(macro relabelto_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (relabelto))))

(macro send_invalid_packets ((type ARG1))
       (allow ARG1 invalid (packet (send))))

(tunableif invalid_packets
	   (true

	    (call forward_invalid_packets (invalidpackets.except.typeattr))
	    (call recvsend_invalid_packets (invalidpackets.except.typeattr))))

(tunableif (or invalid_associations invalid_peers)
	   (true

	    (call forward_invalid_packets (invalid))

	    (call net.packet.forward_all_packets (invalid))))

(in ibac

    (constrain (packet (relabelto))
	       (or (or (or (eq u1 u2)
			   (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id)))
		       (eq t1 objchange.typeattr))
		   (eq t1 exempt.typeattr))))

(in invalid.unconfined

    (allow typeattr .invalid (packet (not relabelto))))

(in mcs

    (mlsconstrain (packet (relabelto))
		  (or (neq t1 constrained.typeattr)
		      (and (dom h1 h2) (eq l2 h2))))

    (mlsconstrain (packet (forward_in forward_out send recv))
		  (or (dom h1 h2)
		      (and
		       (neq t1 constrained.typeattr)
		       (neq t2 constrained.typeattr)))))

(in rbac

    (constrain (packet (relabelto))
	       (or (or (or (eq r1 r2)
			   (and (eq t1 objchangesys.typeattr)
				(eq r2 .sys.role)))
		       (eq t1 objchange.typeattr))
		   (eq t1 exempt.typeattr))))

(in net

    (blockinherit packet.template)

    (block packet

      (macro type ((type ARG1))
	     (typeattributeset typeattr ARG1))

      (typeattribute typeattr)

      (blockinherit all_macro_template)

      (call .mcs.constrained.type (typeattr))

      (call .obj.type (typeattr))

      (block all_macro_template

	(blockabstract all_macro_template)

	(macro forward_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (forward_in forward_out))))

	(macro forwardin_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (forward_in))))

	(macro forwardout_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (forward_out))))

	(macro recv_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (recv))))

	(macro recvsend_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (recv send))))

	(macro relabelto_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (relabelto))))

	(macro send_all_packets ((type ARG1))
	       (allow ARG1 typeattr (packet (send)))))

      (block base_template

	(blockabstract base_template)

	(context packet_context (.sys.id .sys.role packet lowlevelrange))

	(type packet)
	(call .net.packet.type (packet)))

      (block macro_template

	(blockabstract macro_template)

	(macro forward_packets ((type ARG1))
	       (allow ARG1 packet (packet (forward_in forward_out))))

	(macro forwardin_packets ((type ARG1))
	       (allow ARG1 packet (packet (forward_in))))

	(macro forwardout_packets ((type ARG1))
	       (allow ARG1 packet (packet (forward_out))))

	(macro recv_packets ((type ARG1))
	       (allow ARG1 packet (packet (recv))))

	(macro recvsend_packets ((type ARG1))
	       (allow ARG1 packet (packet (recv send))))

	(macro relabelto_packets ((type ARG1))
	       (allow ARG1 packet (packet (relabelto))))

	(macro send_packets ((type ARG1))
	       (allow ARG1 packet (packet (send)))))

      (block template

	(blockabstract template)

	(blockinherit .net.packet.base_template)
	(blockinherit .net.packet.macro_template))

      (block unconfined

	(macro type ((type ARG1))
	       (typeattributeset typeattr ARG1))

	(typeattribute typeattr)

	(allow typeattr packet.typeattr (packet (all))))))

(in net.unconfined

    (call .net.packet.unconfined.type (typeattr)))
generated by cgit v1.2.3 (git 2.46.0) at 2025-09-20 18:15:02 +0000